Wednesday, September 22 2021

Are business executives doing enough to mitigate supply chain risks? That’s the question for senior leaders in a year defined by the surge in malicious attacks such as those involving SolarWinds and Kaseya.

SecureDisruptions content director Jeremy Seth Davis spoke with Unbound Security CEO Yehuda Lindell about supply chain risks, the role of senior leadership in preventing attacks, and the questions that must be posed to third-party vendors. Unbound Security provides cryptographic solutions designed for modern enterprise environments. Lindell has spent 20 years in computer science academia and cryptography research.

This transcript has been edited slightly for length and clarity.

As CEO of a fast-growing company, when evaluating vendors or entering into any contract with a third party, supply chain risk is something that I’m sure you look at. For those who are less aware, can you talk about what the risks really are? What does this look like if decision makers don’t get it right?

Often in the security domain, we talk about theoretical attacks, things that attackers could do in certain circumstances. But there have been a number of very high-profile supply chain attacks that we all know about and obviously many more that we don’t, and this goes back to 2012. A huge one was when all of the secrets inside the RSA Security one-time password tokens were stolen from RSA. This was downplayed initially, but it turned out that attackers then used that to impersonate employees and break into Lockheed Martin. This isn’t confirmed, but the belief is they used that to steal the plans for the F-35. It’s a supply chain attack because you’re breaking into one organization in order to get into another organization.

In 2019, there was malicious firmware that was distributed to ASUS computers. Again, there was a specific target in mind, but they broke into ASUS in order to get a valid signature on malicious firmware for the computer and then used that to break in. More recently, there was SolarWinds, which you all know about, and Mimecast, which maybe is connected, but we’re not sure.

All of these are real supply chain attacks that are out there. Organizations that aren’t aware of this really have a huge problem. We do have to understand, however, that this is a problem that we can’t completely solve. The systems that are under our control are under our control, but that’s not enough. As soon as we interact with other organizations, as soon as we’re buying software that we install or even just using a SaaS offering, that exposes our information, our IP, or whatever else we need to protect. It exposes us externally if they happen to be broken.

As CEO, you want to make sure your vendors do not end up becoming the next SolarWinds or any of these examples. In most cases, an executive is generally not closely involved in procurement decisions. What are the takeaways and specific initial steps that an executive should take to avoid ending up in that situation?

I can give you a specific example from Unbound, when we purchased a SaaS HR solution. I wasn’t involved in the procurement. Whether it had one feature or another wasn’t something that I had to be involved in. We have people who have that responsibility. But I asked some very simple questions. First, I made sure that they had done penetration testing and we received their pen testing report. By the way, not all companies even wanted to give that to us. That’s already strange. Why shouldn’t you be providing that information?

It’s a basic step to verify that the vendor has hired a third party to try to attack their system and find flaws. The third party always issues a report, and the report always contains problems that need to be fixed. There are some high-severity problems, medium, and low. You don’t expect a company not to have any problems, but you do expect them to fix them. We had one specific example with one vendor who was our favorite vendor for the HR solution. They sent us the report but said that they had only fixed the one severe bug and left the rest of them because they were worried that they’d introduce other problems if they fixed them. This meant that they left a number of significant security flaws in the product and decided they weren’t going to fix them. Up to that point, they were our favorite. By the way, they’re a very fast-growing company, which is very scary because other companies seem to just not be asking these questions. My instructions to the HR team were, “We’re not buying from that vendor.” We’re going to buy from another vendor that might be more expensive. Maybe the UI isn’t as great. But obviously there are other good solutions out there.

Security has to be a priority. The biggest concern with that vendor wasn’t a matter of the specific problem that wasn’t fixed. Rather, their approach showed that they were not serious about security. I don’t want to buy from anyone who’s not serious about security. And that’s the message that executives need to get across to their teams: Before we buy any product, whether it’s SaaS or software that we install, are we asking the questions to make sure that they care about security? Do they have a CISO? Do they have someone who’s responsible for security and also understands security? If you have someone who understands security on your team, get them to have a conversation with the vendor. They will understand very quickly whether the vendor understands what they’re talking about and whether they take security seriously. Do they have secure software processes in place? Do their software engineers have yearly refresher courses about secure coding practices? There are many things that organizations have to do, and when we purchase software for our organization, we need to make sure that they take security seriously.

It’s important to note: Even if they take security seriously, it doesn’t mean that a really sophisticated Russian or Chinese agency will not be able to breach their systems. Nation-state attackers are very powerful. But if they don’t take security seriously, it’s almost always the case that there are going to be serious flaws in their product.

This is generally referred to as third-party risk. But of course, there’s also fourth-party risk, etc., and so this process of evaluating your vendors is not necessarily a simple process, but executives can understand what the protocols are and what steps need to be taken. When looking at your vendors’ vendors and their vendors, that of course becomes far more complicated. What would you suggest to others when evaluating those second-hand risks?

A lot of organizations do have evaluation procedures for vendors. The problem is that they are checklist evaluations: here’s a 50-page document, now go and fill in all of these answers. Do you use open source? Which open source? It’s a list of questions which, although it can be valuable, is often far from enough. The fact is that the vendors themselves are filling it in by themselves. Are they always honest? We can assume that they are, but unfortunately, that’s not always the case. But even if they are honest, it doesn’t mean they really understand what they’re doing.

That’s why I think the most important thing is to have someone in your security team speak to them and understand whether they really understand and care about security. That’s something that, in a one-hour call or even a half-hour call, you can really understand. There are certain things that I can ask you when I’m speaking to you face-to-face and I can very quickly judge whether you really understand what you’re talking about and whether you care about this topic, or if it’s something that’s sort of “I have this checklist and I need to make sure these things are done. As long as this is done, then I’m covered in case anything bad happens.”

I’m not necessarily interested in whether you’re covered and whether I can sue you or not. I’m interested in whether I am going to be breached because of you or not. It’s a different question. I have this feeling that the world is split into two types. There are those who care about security, and those who just care so that they can say, “I did all the best practices that I need to do.” We want to buy from those who really care about security. Again, not necessarily because they won’t be breached, but because there’s a much better chance that they’ll be safer. That means that they’ll spend money on it.

What size is your company before you hire a security expert whose entire responsibility is to make sure that your software is secure? You shouldn’t be a 1000-person company when you need to do that. You should be doing that very early on, but that’s an expensive investment. What tools do you buy?

I can tell you, not only do I not want to be breached by a third party. At Unbound, we provide enterprise security software. I don’t want to be the vessel for someone else being breached. So I want to make sure that my software is secure.

We take it seriously. It doesn’t mean we’re perfect. But that is really what the main message is. Yes, it’s fine to have policies and to have forms, but make sure that there’s real awareness, real understanding, and that they really care. Once you get to that point with everybody, that helps a lot.
